Privacy - Kutztown University

Privacy
CSC385
Kutztown University
Fall 2009
Oskars J. Rieksts

Notes on Privacy
Based on Lawrence Snyder
 Fluency in Information Technology
 Augmented with my notes
 See also: http://faculty.kutztown.edu/rieksts/385/topics/privacy/notes.html

2009
Kutztown University
2

Outline
Privacy basics
Threats to privacy
Personal information control
FIP principles
Privacy practices
Cookies
Cryptography
Data mining

Privacy Basics
Definition – “The right of people to choose freely under what circumstances and to what extent they will reveal themselves to others.” – p. 481
 Rieksts: Privacy is the cornerstone of selfhood
 Modern devices & privacy
 Chief Justice, Louis Brandeis

Basis of Privacy Conflict
 Modern life requires
 Revelation of information
 Financial transactions
 Applications
 Medical services
 Etc.

Basic Privacy Issue
Ownership of information
Related IT ownership issue
 Your machine
 Contents of your machine
 Files
 Software

Threats to Privacy
Criminal element
 Identity theft
 Cyber-stalking
 Organized crime
Business & industry
 Marketing
 Employment

Threats to Privacy
Enemies of public safety
Governments
 Totalitarian regimes
 Overzealous public servants
Social engineers

Spectrum of Personal Information Control
The lens
 Transaction produces information
Basic categories
 No uses
 Opt-In or Approval
 Opt-Out or Objection
 Internal use only
 No limits

Storage & Use beyond transactional necessity
No uses
 Delete information
 Upon completion of transaction
Opt-In
 Permission must be requested
 Explicit approval required

Storage & Use beyond transactional necessity
Opt-Out
 S&U is OK
 Unless specifically objected to
Internal use only
 S&U OK
 Only for business itself
No limits

FIP Principles
FIP = fair information practices
 Standard 8 point list
 Developed in 1980 by OECD
 OECD = Organization of Economic Cooperation and Development

Eight FIP Principles
Limited Collection
Quality
Purpose
Use Limitation
Security
Openness
Participation
Accountability

Limited Collection Principle
Limits to data collected
Collection by
 Fair means
 Lawful means
Knowledge & consent required
 If possible
 When appropriate

Quality Principle
Relevance
 Data must be relevant
 to collection purpose
Data must be
 Accurate
 Complete
 Up to date

Purpose Principle
Purpose of collection stated
Use limitation
 Use limited to . .
 stated purpose

Use Limitation Principle
Data not to be disclosed
No use for other purposes
Unless . .
 Consent given by individual
 Authority granted by law

Security Principle
Data controller must . .
Exercise reasonable security measures

Openness Principle
Data collection policies & practices . .
Open to the public
Public knowledge of . .
 Existence of data
 Kind of data
 Purpose/use of data
 Identity & contact information of
 Data controller

Participation Principle
Individual able to determine . .
 Whether data controller has information
 What the information is
Denial of access can be challenged
Information can be challenged

Accountability Principle
Data controller accountable . .
for FIP Principles compliance

Privacy Practices – EU
European Union
Accepts OECD FIP principles
Has European Data Protection Directive
EU citizen protection standard
 Extends beyond EU borders

Privacy Practices – U.S.A.
Sectoral approach
Freedom of Information Act – 1966
Privacy Act of 1974 (wrt government)
Electronic Communications Privacy Act – 1986
Video Privacy Protection Act – 1988
Telephone Consumer Protection Act – 1991
Driver's Privacy Protection Act – 1994

Freedom of Information Act – Links
One
Two
Three
Four

Privacy Act of 1974 – Links
One
Two
Three

Electronic Communications Privacy Act
One
Two
Three
Efforts to update

Video Privacy Protection Act
One
Two
Three

Telephone Consumer Protection Act
One
Two
Three

Driver's Privacy Protection Act
One
Two
Three
Four

Privacy Advocacy
EPIC
 Electronic Privacy Information Center
 About
 Home Page
Privacy Rights Clearinghouse
Electronic Frontier Foundation
 About
 Wikipedia

Cookies
7-field record
Uniquely identifies . .
customer session on website

Cookies – 3rd Party Problem
Advertiser on contacted website
 Client/server relationship with customer
 Allows 3rd party cookies
 Placed
 Accessed
 from various sites
 Discussion
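An added example, not from the original slides: assuming the slide's 7-field record is the seven tab-separated fields of the Netscape cookies.txt format, the code below parses such records and reports any cookie that the same third-party domain receives from more than one visited site. The host names, cookie values and function names are constructed for illustration.

```python
from collections import defaultdict

# The seven tab-separated fields of a Netscape-format cookies.txt record
# (assumed here to be the "7-field record" the slide refers to).
FIELDS = ("domain", "include_subdomains", "path", "secure",
          "expires", "name", "value")

def parse_cookie_line(line):
    """Parse one cookies.txt record into a dict with typed fields."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected 7 fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["include_subdomains"] = rec["include_subdomains"] == "TRUE"
    rec["secure"] = rec["secure"] == "TRUE"
    rec["expires"] = int(rec["expires"])  # expiry as a Unix timestamp
    return rec

def is_third_party(cookie, page_host):
    """True if the cookie's domain does not cover the page the user visited.
    Simplification: compares host names directly, with no public-suffix list."""
    domain = cookie["domain"].lstrip(".").lower()
    host = page_host.lower()
    if host == domain:
        return False
    return not (cookie["include_subdomains"] and host.endswith("." + domain))

def cross_site_cookies(observations):
    """Map (domain, name, value) -> sorted sites where that same cookie was
    seen as third party, keeping only cookies seen on two or more sites."""
    seen = defaultdict(set)
    for page_host, line in observations:
        c = parse_cookie_line(line)
        if is_third_party(c, page_host):
            seen[(c["domain"].lstrip("."), c["name"], c["value"])].add(page_host)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample: (site the user visited, cookie record sent while loading it).
OBSERVATIONS = [
    ("shop.example", ".shop.example\tTRUE\t/\tFALSE\t1262304000\tsession\tabc123"),
    ("shop.example", ".ads.example\tTRUE\t/\tFALSE\t1293840000\tuid\tu-7781"),
    ("news.example", "news.example\tFALSE\t/\tTRUE\t0\tprefs\tdark"),
    ("news.example", ".ads.example\tTRUE\t/\tFALSE\t1293840000\tuid\tu-7781"),
]

if __name__ == "__main__":
    for key, sites in cross_site_cookies(OBSERVATIONS).items():
        print(key, "seen on", sites)
```

The one cookie reported is the advertiser's identifier: the same value is returned to the advertiser from both sites, which is what lets it link the two visits to one browser.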